Closed Bug 1984547 Opened 5 months ago Closed 5 months ago

Firefox Animation Timeline Memory Corruption - SIGSEGV in Child Process (CVE-2024-9680 Pattern)

Categories

(Core :: DOM: Animation, defect)

Firefox 142
defect

RESOLVED DUPLICATE of bug 1984552

People

(Reporter: arkitekt333, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36

Steps to reproduce:

  1. Create HTML page with animation timeline fuzzer targeting CVE-2024-9680 pattern
  2. Load test page in Firefox 142.0b5 (Beta)
  3. Execute rapid animation timeline manipulation sequence:
    • Create complex multi-keyframe animations
    • Set animation.currentTime to active state
    • Set animation.currentTime = null (creates dangling reference)
    • Immediately access animation.effect.getComputedTiming().duration (triggers use-after-free)
  4. Repeat sequence with memory pressure and multiple animations

Actual results:

Child process crash with SIGSEGV (Signal 11):
[Parent 298303, IPC I/O Parent] WARNING: process 298403 exited on signal 11

Evidence:

  • Segmentation fault in animation timeline management
  • Memory corruption in sandboxed child process
  • Crash occurs during Inter-Process Communication
  • Mozilla crash dumps captured at ~/.mozilla/firefox/crashes/
  • Reproducible with ~70% success rate in testing environment

Expected results:

Animation timeline manipulation should not cause memory corruption or process crashes. Firefox should handle null timeline states gracefully without accessing freed memory.

Group: firefox-core-security → layout-core-security
Component: Untriaged → DOM: Animation
Product: Firefox → Core

These two attachments are identical, and also identical to the first attachment in bug 1984552, so I'm going to assume that this is a duplicate.

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1984552
Resolution: --- → DUPLICATE
Group: layout-core-security